
How to hack stuff for cash

Security analysis of ATMs, PoS and EPT solutions



  1. How to hack stuff for cash
     Weaknesses in ATMs and PoS systems and how to exploit them
     02.06.2014, Marco Schuster, CashPOINT
  2. About me
     • Name: Marco Schuster
     • Working in the IT industry for over 15 years, 8 of which running a small business in Germany
     • Developer of CashPOINT PoS software
     • Maintainer of PHP PC/SC smartcard communication interface
     • Experience in Windows / Linux client and server management, web service development, web security, smart card development using BasicCard
     • Homepage:
     • Mail:
  3. About this talk
     • This talk presents an overview of the most commonly used attack vectors on ATMs (Automated Teller Machines), PoS (Point of Sale) software and EPTs (Electronic Payment Terminals).
     • Part I shows the weaknesses in ATMs as well as ways to exploit them, ordered by the „commonness“ factor (i.e. how many crimes are committed using the vector and how widespread this type of crime is)
     • Part II shows the weaknesses and exploits in PoS/EPT systems, ordered as above
     • At the end, there will be a summary of the most important points in this talk
  4. Glossary
     • ATM: Automated Teller Machine, a machine distributing / accepting cash for bank customers
     • CC: credit card / customer card
     • EFT: Electronic Financial Terminal
     • EPT: Electronic Payment Terminal
     • EMV: Europay/MasterCard/Visa, a network of card issuing companies who developed an internationally compatible standard for communicating with payment smart cards in order to have a secure replacement for mag-stripe cards
     • Mag stripe: magnetic, usually black stripe on the back side of CCs, containing three tracks for storing data
     • PoS: Point Of Sale terminal
  5. Glossary
     • RFID: Radio Frequency Identification; once passive-only, the term has now expanded to also include cards and tags capable of active processing. Early models could only respond with a unique ID, modern ones are essentially micro-computers with sophisticated crypto and processing capabilities
     • TEMPEST: also known as „van Eck phreaking“, passive interception of radio frequency emissions of a device in order to obtain internal, presumed protected, data like cryptographic keys
     • ZVT / OPI: two protocols for PoS-EPT communication
  6. Part I: ATMs
     • ATMs are basically just computers
     • Most ATMs run Windows, most of these still run XP (as evidenced by lots of panic-ridden news articles when MS discontinued XP support)
     • Depending on the operator, these XP machines may or may not be subject to the usual MS patch days => hackers have a considerable time window to exploit stuff
     • Connectivity is provided in different ways:
       – (A)DSL modems+routers embedded into the ATM
       – Ethernet connections supplied by the location where the ATM is set up (e.g. inside a bank an ATM will likely use the building‘s network infrastructure)
       – WiFi
       – 3G/UMTS in remote locations
  7. ATMs: components
     • ATMs usually consist of the following components:
       – TFT or tube monitor with softkeys and / or touchpanel interface
       – Card slot
       – PIN pad
       – Cash dispenser, inside a rugged safe
       – Some models: cash acceptors / bill recyclers
       – Some models: receipt printer
       – Some models: 3.5mm jack or speakers for the blind
       – Alarm systems, anti-hijack measures, UPS
  8. Photo: component diagram
     Component overview of a bank kiosk (without cash dispenser)
     Source:
  9. ATMs: weaknesses
     • Obvious: steal the entire ATM
       – People have been observed to even rip ATMs out of walls and load them onto pickups
       – Countermeasure: equip cash safe with irreversible marking ink, equip ATM with battery-backed GPS trackers, reinforce mountings
     • Obvious: blow up the ATM using gas
       – Following media reports, this type of crime has risen, with massive damage for next to zero booty; most attacked targets are ticket vending machines
       – Countermeasure: fill empty areas with foam or inert gas, add gas warning sensors or even catalysts to decompose the gas
  10. Side note: using gas to blow up ATMs
     • Gas source: liquid gas, commonly available in tobacco stores for lighter refill or by emptying deodorant cans using propane/butane as carrier/propellant
     • 300ml liquid propane/butane gas mix costs approx. 2-3 €
     • 1 liter liquid gas expands to a volume of 260 liters => one of these refill bottles can be emptied for approx. 86 liters of gas
     • Propane/butane gas has a very narrow ignition window: depending on the mixture ratio of propane and butane, ignition and explosion can happen only at 1.5 to 9.5% mixture ratio with oxygen
  11. Side note: using gas to blow up ATMs
     • If the thief doesn‘t put enough gas into the machine to achieve explosion, there‘s no risk for anyone
     • If the thief puts in too much gas, though, and leaves the ATM because of the failed explosion, he creates a time bomb! As soon as enough oxygen replaces the gas due to air flow, it only needs a single spark to ignite the ATM and potentially kill or severely injure random bypassers
     • Sparks need not necessarily originate inside the machine (fans using brushes); users can „generate“ sparks by static discharge on the grounded metal chassis
     • Gas attacks haven‘t only targeted ATMs, but also gambling machines and ticket vending machines (even one in direct line of view of a prison and a police station in Germany)
  12. ATMs: weaknesses
     • Obvious: wait near stand-alone ATMs in lonely areas and extort money from people at gun/knife point or pickpocket them
     • Pretty common: „Lebanese loop“
       – Prevent cash or customer card from exiting the ATM by blocking the dispenser flap
       – Wait nearby to offer „assistance“ (act as if you are service personnel, note down customer data and later on take the cash)
       – Addition: replace stickers with the bank‘s phone number with one controlled by the con artists
     • Pretty common: card skimming
       – Install a magstripe skimmer and either a double „PIN pad“ or a camera to record the PIN
       – Only install a card skimmer and clone the data onto a blank card to use for shopping (where no PIN is required)
       – Countermeasure: widespread implementation of smartcard chip (EMV chip), which cannot be skimmed or cloned
  13. Photo: Lebanese Loop
     A simple Lebanese Loop
     Source:
  14. Photo: ATM skimmer
     Left: skimmer, right: PIN-recording camera
     Source:
  15. Photo: Double PIN pad
     Double PIN pad
     Source:
  16. ATMs: weaknesses
     • Highly advanced: software manipulation of the ATM
       – Method A: simply command the ATM to dump the entire cash in the safe
       – Method B: make the ATM record magstripe data and / or bank account numbers as well as the PIN
       – Needs some form of hardware access to the ATM
       – Some ATM models have common, manufacturer-supplied keys allowing access to the computer or maintenance ports…
     • Highly advanced: network infiltration
       – Needs an ATM with a known remote vulnerability
       – Needs direct access into the network – e.g. by attacking the building wiring
  17. ATMs: attacking the network
     • Many banks have 24/7 operations, outside of normal business hours the premises are not actively guarded
     • Some banks do not protect their Ethernet cables (or worse: the sockets)
     • Attack vector: insert a small wireless router or a network tap, either by plugging into the sockets or hot-wiring the Ethernet cable
     • Infiltration is best done by posing / working as cleaning personnel (low-pay jobs, mostly done by subcontractors without rigorous security checks)
     • If done right, a network-side IDS cannot detect this (not a single packet with a wrong MAC address may leave the device, every „spoofed“ packet must be rewritten)
  18. ATMs: attacking the network
     • Needs a remotely executable vulnerability (as ATM-to-clearinghouse communication is heavily encrypted)… turns out these are PLENTY: http://www.exploit-
     • I can haz root access?
     • Now the hacker is free to mess with the machine – including launching the debug or maintenance tools and dumping the cash in the safe
  19. Photo: WLAN tap
     This is a DWL-G730AP micro router, smaller than a box of cigarettes
     Photo:
  20. ATMs: attacking the machine
     • Certain models have front-side USB connectors, exposed upon opening maintenance hatches
     • These can be drilled open – and the hole filled with a plastic cap (see references for news article)
     • Hackers just open the plastic cap and attach devices like a Rubber Ducky which act as keyboards, or Android cellphones exposing a HID keyboard and a USB mass storage to hold the malware
     • Countermeasure: disable the USB port using a hardware switch (cut D+/D- lines) not accessible by drilling, and remote-notify the NOC upon attachment of any USB peripheral
  21. ATMs: attacking the machine
     Multiple exploit vectors for the malware:
     – „Hit and run“: command ATM to dispense the cash and reboot to eliminate the traces
     – Persistent malware:
       • Harvest CC / magstripe data
       • Sniff the PIN pad or the softkeys for a secret pattern which initiates the malware
       • Dump the cash or print harvested CC data on a receipt printer
     – Network spread: spread to other ATMs or even the bank network
  22. ATMs: attacking the machine
     • Certain models have been known to utilize manufacturer-supplied, common keys to allow access to the computer compartment – no need for drilling, no visible traces of forced entry!
     • Some hackers (see references) have installed cellphones or 3G sticks inside the ATM to obtain remote access – as long as the only people opening the ATMs are the guys refilling the safes this isn‘t noticeable due to the incredibly small size of these devices
  23. Photo: USB Rubber Ducky
     USB Rubber Ducky, US$ 39.90
     Photo + Shop:
  24. ATMs: weaknesses
     • Highly advanced: manipulated smartcards
       – Fully programmable smart cards with even low-level output manipulation: „BasicCard“ by ZeitControl, cost 5.50 € for 32 kByte storage => enough for common trojan payloads or stub loaders!
       – Modern banking cards also allow RFID communication (e.g. German Sparkasse cards), used as a security feature (anti-cloning)
       – Other attack way (used e.g. in 2014-05 in Macau): interception of smartcard commands to e.g. manipulate payment authorisation
     • Extremely advanced: TEMPEST attacks
       – Record RF emissions from the computer or the components
       – Up to a couple of years ago, the components required were only affordable by state-level actors
       – These days, even amateurs can conduct TEMPEST research, the only barrier is the level of knowledge required
  25. Smart Card overview
     • Smart cards are surprisingly complex…
     • Low-level communication: standard ISO 7816
     • Low level either handled by a combination of the microprocessor in the card reader and the OS driver (Windows/Linux/OSX: PC/SC library) or by a dedicated microcontroller
     • Data transfer between app and card is in APDU format (Application Protocol Data Unit), essentially a binary protocol with requests and responses
     • Old versions: 256 bytes input, 256 bytes response, with extension up to 65536 bytes
  26. Smart Card overview
     • Weakness is obvious: higher-level stacks assuming only 256 bytes return length get more than 256 bytes from the PC/SC stack… buffer overflows to the hacker‘s aid!
     • Next weakness: most high-level communication stacks assume TLV (Tag-Length-Value) format => overflow the Length byte and cause random memory seeks, strcpy overflows,…
     • Depending on which part of the stack you exploit, you have different possibilities
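The two checks slide 26 says vulnerable stacks skip, as an added example (not code from the talk or from CashPOINT): a BER-TLV parser for card/EPT responses that refuses a reply longer than the short-APDU maximum and refuses any Length field that would reach past its buffer. The sample records are constructed and contain no real card data.

```python
"""Bounds-checked BER-TLV parser for smart card / EPT responses (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_SHORT_RESPONSE = 256  # what a short-APDU stack traditionally budgets for


class TlvError(ValueError):
    """Structure does not fit inside its buffer; the whole response is rejected."""


@dataclass
class Tlv:
    tag: int
    value: bytes
    children: List["Tlv"] = field(default_factory=list)


def _read_tag(buf: bytes, pos: int) -> Tuple[int, bool, int]:
    """Return (tag, constructed?, next position); BER tags are 1..3 bytes here."""
    if pos >= len(buf):
        raise TlvError("tag runs past end of buffer")
    first = buf[pos]
    tag, pos = first, pos + 1
    if first & 0x1F == 0x1F:  # low five bits set: further tag bytes follow
        extra = 0
        while True:
            if pos >= len(buf):
                raise TlvError("multi-byte tag runs past end of buffer")
            tag = (tag << 8) | buf[pos]
            extra, pos = extra + 1, pos + 1
            if not buf[pos - 1] & 0x80:  # bit 8 clear: last tag byte
                break
            if extra == 2:
                raise TlvError("tag longer than 3 bytes")
    return tag, bool(first & 0x20), pos


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next position); short form < 0x80, long form 0x81..0x84."""
    if pos >= len(buf):
        raise TlvError("length byte missing")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise TlvError("indefinite or oversized length encoding")
    if pos + nbytes > len(buf):
        raise TlvError("long-form length runs past end of buffer")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def _parse(buf: bytes, start: int, end: int) -> List[Tlv]:
    nodes: List[Tlv] = []
    pos = start
    while pos < end:
        if buf[pos] in (0x00, 0xFF):  # inter-object padding permitted by EMV
            pos += 1
            continue
        tag, constructed, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if length > end - pos:  # the check an overflowable stack is missing
            raise TlvError(f"tag {tag:X} claims {length} bytes, only {end - pos} remain")
        node = Tlv(tag, buf[pos:pos + length])
        if constructed:
            node.children = _parse(buf, pos, pos + length)
        nodes.append(node)
        pos += length
    return nodes


def parse_response(data: bytes, max_len: int = MAX_SHORT_RESPONSE) -> List[Tlv]:
    """Parse a response body, enforcing the caller's expected maximum size first."""
    if len(data) > max_len:
        raise TlvError(f"response of {len(data)} bytes exceeds expected {max_len}")
    return _parse(data, 0, len(data))


def find(nodes: List[Tlv], tag: int) -> Optional[bytes]:
    """Depth-first lookup of a tag's value."""
    for n in nodes:
        if n.tag == tag:
            return n.value
        hit = find(n.children, tag)
        if hit is not None:
            return hit
    return None


def bcd_amount(raw: bytes) -> str:
    """Decode a 6-byte BCD amount (EMV tag 9F02 style, two implied decimals)."""
    digits = raw.hex()
    return f"{int(digits[:-2])}.{digits[-2:]}"


def rejects(data: bytes) -> bool:
    """True when the parser refuses the buffer, the safe outcome for crafted input."""
    try:
        parse_response(data)
    except TlvError:
        return True
    return False


# Constructed samples: a record template (70) holding a cardholder name (5F20)
# and a 5.00 amount (9F02); then the same record with the name's Length byte
# overflowed to 0x7F; then a 300-byte reply where only a short response was budgeted.
GOOD = bytes.fromhex("70155F2009" + b"TEST/CARD".hex() + "9F0206000000000500")
BAD_LENGTH = bytes.fromhex("70155F207F" + b"TEST/CARD".hex() + "9F0206000000000500")
TOO_LONG = b"\x70\x00" + b"\x00" * 298
```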
  27. Photo: Fake smart cards
     Smartcard emulators, manipulated smartcards
     Source:
  28. ATMs: TEMPEST attacks
     • Inarguably, TEMPEST attacks are by far the most dangerous attacks since some TEMPEST forms even work over dozens of meters of distance between attacker and target
     • For now, TEMPEST attacks are rare due to the high knowledge required to execute them
     • Multiple attack vectors: even the power lines can be used to derive cryptographic keys!
  29. ATMs: TEMPEST attacks
     • New RFID functionality in banking cards, used as a security measure, can in fact even endanger the system – what happens when a smartcard is talked to simultaneously by RFID and by wire? How robust are the smartcard operating systems?
     • Currently, TEMPEST protection is only required by military or secret services for their IT devices – this is bound to change!
     • As traditional card/ATM fraud attacks become harder, hacker groups will redirect substantial financial and R&D resources to TEMPEST attacks
  30. ATMs: Situation overview
     • Volume of ATM and card clone fraud: SEPA area approx. € 1 billion in 2012 according to ECB
     • Constant arms race between ATM manufacturers and criminals
     • Card cloning occurs in „rich“ Western countries with high-security ATMs and everything
     • Usage of the cloned cards mostly happens in less developed countries like the former Soviet bloc and Mexico where ATMs still accept magstripe-only cards and security awareness is not widespread
     • With these sums at stake, the chance is high that criminal enterprises will research and employ previously unheard-of tactics like TEMPEST compared to earlier, more common tactics
     • Development of „kits“ for usage by small criminals has been observed in the gambling fraud industry as well as in the card-fraud industry; this trend is likely to rise
  31. Part II: PoS software
     • PoS (Point of Sale) systems are software systems used by cashiers, barkeepers etc. in all kinds of retail stores
     • Usage sometimes required by law (e.g. in Belgium for bars)
     • PoS systems widely vary in functionality (and price)
       – Simple ones just allow receipt printing
       – Full-blown solutions like SAP or CashPOINT allow entire business management, including customer management, payment tracking and more
       – Depending on legislation, a „fiscal memory“ may be required to allow tax authorities to check revenue/sales records for tax fraud
     • Standalone systems or server-based systems, some even with mobile device support
  32. PoS: Weaknesses
     • Obvious: Manipulation by clerks
       – Tax fraud by entering wrong VAT rates (takeaway vs in-house)
       – Overcharging customers (e.g. in bars, strip clubs, discotheques)
       – Deletion of receipt positions
     • Obvious: fraudulent swiping of credit cards by clerks
       – Clerk takes customer‘s CC to the payment terminal and silently swipes it through a cloner or a Stripe reader
       – Double swipe of the same amount
       – Weakness of the system: CC swiping does not require PIN authorisation!
  33. PoS: Weaknesses
     • Advanced: Many PoS systems in the US work directly with raw magstripe data from credit cards
       – Magstripe / CC data usually must be strongly protected and encrypted
       – This is how Target was hacked – the hacker manipulated the PoS software to silently record CC data
       – Countermeasure: dedicated, protected terminals (EFT – Electronic Financial Terminal / EPT – Electronic Payment Terminal) which do not store data on the terminal, but in a centralized clearing house
     • The European system usually works with central clearing houses and Chip+PIN (aka EMV), eliminating swipe fraud
  34. Photo: EPT (CCV VX680)
     CCV VX680 EPT
  35. PoS: Communication with EPTs
     • This describes ONLY the situation in Germany, I am not familiar with US EPT systems
     • Mode 1: the cashier enters the amount by hand and just takes the receipts => manipulation only possible with CCs without EMV enforcement, everything else requires the customer PIN
     • Mode 2: PoS system transfers commands to EPT by RS232, LAN or WiFi; EPT and PoS work together to execute the payment
  36. EPT: Communication with PoS
     • Two widely adopted protocols, both developed by vendors Wincor, CCV and others
       – ZVT
         • Old, REALLY old protocol with structures and handling similar to smartcard APDUs
         • Same weaknesses apply here: boundary overflows, widespread, subtle differences in implementations across vendors
         • CONSTANT upgrade of stacks required in order to be able to parse the binary protocol!
         • Communication via RS232 or wrapped in TCP/IP
         • Open specification
       – OPI (Open Payments Initiative)
         • XML messages transferred by TCP/IP allow usage of robust, well-tested software stacks
         • Specification not public, but freely obtainable from CCV and Wincor
     • Neither ZVT nor OPI support any form of encryption or message authentication! Only the clearinghouse communication is encrypted
  37. EPT: Communication with PoS
     • PoS transfers high-level commands to EPT, EPT acts and returns a response
     • Commands include stuff like „Deduct payment, refund payment, Increase/decrease loyalty card points, Sync with clearing house, Read raw magstripe data“
     • YES. „Read raw magstripe data“ or „CardSwipe“ (OPI). This is no joke. It will return the raw data of all three tracks of any mag stripe.
     • EPTs respond to pings; while ZVT does not require a specific port, OPI hard-wires TCP 20007 – thus making discovery incredibly easy
  38. EPT: Normal payment data/command flow
     1. Cashier presses „Pay Card“ button on PoS
     2. PoS software sends „Deduct 5.00 €“ to EPT
     3. EPT asks customer to insert card or swipe card
     4. Customer does as required – if the PoS determines that a PIN is required, then the EPT accepts the PIN, else the customer has to sign the backside of the merchant receipt
     5. EPT returns „Payment successful“ or „Payment denied“ to PoS
  39. EPT: Attack 1 – manipulated PoS software
     • Now, we assume a manipulated PoS…
       1. Cashier presses „Pay Card“ button
       2. PoS software sends „Swipe Card“ command to EPT
       3. EPT tells customer „Swipe card…“
       4. Customer assumes that EPT wants a swipe payment => swipes card
       5. EPT returns all three tracks to PoS
       6. PoS (trojan) stores the track data
       7. PoS sends „Deduct 5.00 €“ to EPT
       8. (see normal payment flow)
     • Cashier assumes a mis-read of the card, no one has any reason to be suspicious… until a couple of months later, when cloned cards appear!
     • A video demonstrating this attack will be published on our website
  40. EPT: Attack 2 – Card swipe by network intrusion
     • This only works with a network-attached EPT
     • OPI does not require any form of authentication, it will blindly follow ANY orders from ANY IP address! No way of restriction!
     • The ZVT protocol supports authentication but many EPTs don‘t implement it! Besides, it‘s just a 6-digit PIN which is sent unencrypted => one Wireshark trace obtained using ARP spoofing will deliver it
     • Attacker, using a cellphone, launches the card swipe command right before the cashier presses the „Pay Card“ button on the PoS
  41. EPT: Attack 3 – hack the EPT by network intrusion
     • Again, this attack requires a network-connected EPT
     • ZVT is an ugly, complex, grown protocol full of quirks
     • ZVT was built originally as a serial-port, RS232 communication protocol and thus had no security built in – as it was not needed. Only when it was wrapped in TCP/IP did the security problems arise
     • OPI was initiated in 2003 – the author fails to understand why in 2003 anyone in his right mind would develop a network-based standard without thinking about security!
     • Every implementation has bugs
     • People have used offset attacks, length attacks and other stuff to obtain code execution on EPTs
  42. EPT: Attack 4 – hack the EPT in hardware
     • Automated fuel pumps are unmonitored…
     • Open the fuel pump using common master keys or by lockpicking
     • Reflash the EPT firmware to sniff CC data and PINs
     • Close the fuel pump
     • Wait a couple of months, then profit! (See references for an example news article)
  43. EPT: Attack 5 – silently swap EPTs
     • Stores are a primary target for thieves
     • So, thieves break into a retail store and steal a couple of low-value items… everyone thinks a couple of junkies needed stuff to sell for drugs, just the usual shit every merchant has to deal with sooner or later
     • No one bothers to check the EPTs – after all, everything looks like the usual junkies, not like a bunch of pro hackers
     • Only a couple of months later, massive card fraud appears with the retail store as the common denominator
     • Now the EPTs turn out to be swapped with manipulated ones or the PoS systems hotwired…
     • This has happened multiple times already, see the References
  44. EPT: Attack 5 – silently swap EPTs
     • EPT swaps can also be done by rogue staff
     • MANY people do not protect their EPTs, not even from customers
     • The author knows about people using the manager PIN „000000“ in multiple restaurants to silently disable their EPTs (by deactivating their network interface)
     • All you need to swap an EPT is the Terminal ID and the network config parameters – the TID is on every receipt and the network config can be printed via the Manager PIN
  45. EPT: Attack 5 – silently swap EPTs
     • A manipulated and swapped EPT can only be detected by visually inspecting it and comparing the sticker with the hardware ID
     • The only identifier visible to a PoS system is the TID
     • As long as no stolen card data is used, the fraud detected and the frauds linked to the specific terminal, usually no one will inspect it
     • Countermeasure: implement an HSM and challenge-response cryptography
       – Every terminal has a priv/pub keypair, kept only on the device
       – Every transaction must be signed with the private key so that the PoS or the cashier can check the signature against the public key
       – Even this measure only protects against terminal swap, but not against firmware reflashing or memory-only exploits…
  46. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
     • Once again, this requires network access, preferably in the form of a WiFi tap
     • As said, both ZVT and OPI totally lack any form of encryption and authentication or state tracking
     • Divert all traffic to and from the EPT to your cellphone
  47. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
     Assume a fraudulent customer buying a MacBook
     1. Cashier presses „Pay Card“
     2. PoS transfers „Deduct 2.000 €“
     3. EPT displays „Pay 2.000 €“ to cashier, cashier hands over EPT to customer so he can input the PIN
     4. Customer cellphone sends „Abort“ and „Pay 2 €“ to EPT
     5. Customer pays 2 €
     6. Customer cellphone transmits „2.000 € successfully paid“ to PoS, together with a faked receipt to be printed on the invoice
     7. Only at the end of the day is the discrepancy detected when syncing
  48. EPT: Attack 6 – MITM the payment flow to reduce the paid amount
     • It is not sufficient to just return a „Payment successful“ without paying at all, as the cashier might determine something is wrong by listening
     • Most terminals use different beep tones for successful or declined payments
     • Best use stolen cards or strawmen for this type of fraud as the faked purchase will show up in the books
     • Two-headed terminals with one display for the cashier and one for the customer prevent this exploit as long as the cashier looks at the display
     • The smaller the faked amount is, the less likely is an investigation (no one will try to find out where 10 € went missing, but a 1.000 € discrepancy will definitely raise red flags)
  49. EPT: Attack 7 – MITM intercept the receipts
     • A passive MITM attack (either half-active by ARP spoofing or totally passive by e.g. using hubs instead of switches, connecting to the monitor port on the switch etc.) can yield interesting data, too
     • Remember that OPI and ZVT are unencrypted?
     • Both OPI and ZVT allow for receipt printout by the PoS system => the receipt data passes in cleartext on the network
     • Customers keep throwing away the receipts, same for merchants
       – Merchants are required to keep them in case of disputes
       – Customers should be required, but are not
       – Many just throw them away and rely on the banks to not mess stuff up
     • These receipts carry personal data of the cardholder
  50. EPT: Attack 7 – MITM intercept the receipts
     • Merchant receipts contain raw data, including the card number
     • Customer receipts contain the data with sensitive parts blanked / replaced by „X“
     • Merchant receipts and customer receipts can be intercepted or replaced (see attack #7 for an exploit)
     • Current receipts do not include bank account data any more, older terminals still do
       – Reason: fraud using the data from thrown-away receipts
       – This problem will be eliminated over time as the terminals get updated
  51. EPT: Attack 8 – technician software
     • „If it looks like a duck, quacks like a duck, it must be a duck“ vs „If it looks like a manufacturer technician, quacks like a manufacturer technician, it IS a manufacturer technician“
     • Use the vendor-provided configuration software to read out the terminal configuration
     • This hasn‘t been confirmed fixed by the manufacturer, so the brand and model will not be named
     • Vendor management tools run either over RS232, USB or even the network
     • These tools were built on the assumption „Local links may never be MITMd, no hackers will ever use this software to hack“… WRONG.
  52. EPT: Attack 8 – technician software
     • The service tool allows read and write of every configuration setting… yes, every single one
     • No, it does not require any authentication
     • Yes, it even works over TCP/IP (tap the target network!)
     • The readable settings include all three PINs (cashier, manager and service technician) as well as the WLAN password… in cleartext.
     • Anyone on the same network as the EPT is able to read and write the whole configuration without even having to resort to any „real“ hacking
     • Only firmware upgrades require authentication (pubkey checks on the device itself)
  53. EPT: Attack 9 – technician software #2
     • The configuration settings actually even include the communication targets for the clearing house
     • These are writable, too
     • Just set up your own payment processor (reimplement the Poseidon/Atos Worldline protocol or others supported by the EPT)
     • This is quite a challenging task, but once finished one can e.g. set up a server that allows all cards and all PINs, or allows magstripe reads for CCs
     • Exploitable e.g. by „shopping for free“,…
  54. EPT: Attack 10 – technician software #3
     • So, we again assume we have a vulnerable EPT model as well as a network tap
     • The OPI standard supports returning the raw, unprotected track data
     • Normally, an EPT should be configured to suppress the PAN and other sensitive CC track data
     • Needless to say, this feature can be re-enabled using the vendor management tool…
       1. Re-enable the track data transfer
       2. Monitor the network for OPI frames
       3. Clone the track data and go shop for free or…
       4. Sell them on the Darknet, cloneable card data fetches far better prices than just the number+exp date
  55. EPT: Attack 11 – technician software #4
     • Export and load configuration
     • Combined with an EPT swap attack, you can essentially do an undetectable swap as even the PINs and the network config will be cloned
     • Best done by rogue staff
  56. EPT: Attack 12 – Offline payments
     • By disrupting communication with the payment processor, you can force the terminal into „offline mode“
     • Normally, offline transactions carry a limit set by the network provider (e.g. no offline transactions > 50 €) to reduce fraud or bouncing of payments (an online transaction checks the limits and the money available as well as stolen-card lists)
     • Offline mode is used to speed up processing times as the connection setup and teardown is done only at sync
     • The limits can be overridden by requesting an offline transaction in the OPI command – use network MITM to manipulate it
     • Alternative: manipulate the terminal settings to change the limits
     • Easier alternative: some terminals allow changing the limits with the Manager PIN
  57. EPT: Countermeasures
     • CCV and others have equipped their EPTs with anti-opening and anti-reverse-engineering measures
     • If you open the casing, the ROMs erase themselves
     • To hinder manipulation efforts, PoS terminals and EPTs should reboot themselves daily using netbooting and signature checks
     • CashPOINT systems check their own source via git and netboot (the terminal clients are nothing more than a browser, anyway)
  58. EPT: Countermeasures
     • Stores should deploy basic security measures
       – ALWAYS keep operating systems and software up to date
       – Deploy IDS (Intrusion Detection System) and ARP sponges (these prevent the described MITM attack)
       – Isolate EPTs into their own network and allow only specific PoS terminals to talk to specific EPTs (by firewall rules in the router)
       – Connect EPTs via a separate WiFi network only in order to prevent hotwiring attacks, keep the keys off-site to prevent terminal swap attacks during burglaries
       – Find out the ports of the manufacturer tools and lock them down in the firewall!
     • Thwart manipulation of EPT command traffic: replace the hardware firewall between EPT and PoS LAN with a locked-down server
       – validates EPT payment commands against billing databases
       – prevents Abort/CardSwipe-based attacks
       – If done as an abstraction layer, this prevents attackers in the PoS LAN from sending arbitrary/malicious data to the EPTs
  59. 59. EPT: Situation overview • Fraud volume: SEPA area in 2012 had € 1 billion according to ECB, unfortunately EPT/PoS fraud and ATM fraud is summarized in this report • In contrast to ATMs, the Electronic Payment world widely lacks regulations unless the merchant does the CC processing themselves (in this case, the strict PCI DSS ruleset applies) • Lack of standardization, home-grown solutions dominate the market • „Security by obscurity“ and „Security by not looking“ are the most common security guidelines • Biggest threat for merchants: their own staff – Ignorant to security issues (e.g. the CardSwipe attack or plugging in attacker‘s smartphones to charge them) – Malevolent, actively involved, e.g. by installing network taps – Infiltration by external entities 02.06.2014 59Marco Schuster, CashPOINT
60. EPT: Situation overview
• Merchants and hardware/software vendors don't really take care of security unless something happens
• Small merchants most often have no IT security experience or background; most also don't consult IT security experts when setting up their systems
• Even big EPT vendors do not distribute basic IT security guidelines (like network separation) to their clients; most people simply plug their EPTs into their LAN without taking any further care
• The author has seen even internet cafés with the EPTs reachable from the café computers… and the café provided open WiFi!
61. EPT: What Is Badly Missing
• The ZVT protocol should be phased out and replaced by OPI or a successor. It is too complex, and subtle implementation differences make software development harder (and thus more error-prone)
• OPI should be revised to include mandatory transport encryption using well-known cryptography (e.g. TLS) as well as authentication, both of the PoS-EPT relationship and of access rights
62. EPT: What Is Badly Missing
• EPT receipts and data communication should include digital signatures to prevent MITM attacks or forgery
  – The INSIKA project, which digitally signs receipts with ECC to prevent tax fraud, can serve as a technology demonstrator: verification of a receipt is possible for everyone, without access to the store systems
  – These digital signatures should also be device-unique to prevent EPT swap attacks
• The card swipe should be eliminated for every kind of usage, including customer loyalty programs. Magstripe technology has simply proven to be totally insecure and rife with fraudsters. Next to credit cards, it is currently also used by the German OLV (Offline Lastschrift-Verfahren)
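An added example, not INSIKA's or any EPT vendor's code, of device-unique receipt signatures in Go: each terminal gets its own ECDSA P-256 key, the Receipt layout and terminal ids are constructed for the example, and a verifier holding only the published public keys rejects both an altered amount and a receipt signed by a terminal that merely claims the same id.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Receipt holds the fields an EPT prints and signs (constructed field set).
type Receipt struct {
	TerminalID string
	TxnNo      uint64
	AmountCent int64
}

// canonical is the byte string that gets hashed and signed; the terminal id is
// length-prefixed so field boundaries cannot be shifted by a forger.
func canonical(r Receipt) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d|%d", len(r.TerminalID), r.TerminalID, r.TxnNo, r.AmountCent))
}

// NewTerminalKey generates the device-unique P-256 key pair; the private key
// never leaves the EPT, only the public half is published for verification.
func NewTerminalKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Registry maps terminal ids to their published public keys (one entry here).
func Registry(id string, priv *ecdsa.PrivateKey) map[string]*ecdsa.PublicKey {
	return map[string]*ecdsa.PublicKey{id: &priv.PublicKey}
}

// Sign returns an ASN.1 DER ECDSA signature over SHA-256 of the canonical receipt.
func Sign(priv *ecdsa.PrivateKey, r Receipt) ([]byte, error) {
	h := sha256.Sum256(canonical(r))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify checks a receipt against the key registered for the terminal id it
// carries: a swapped terminal's key or an altered amount makes it fail.
func Verify(registry map[string]*ecdsa.PublicKey, r Receipt, sig []byte) bool {
	pub, ok := registry[r.TerminalID]
	if !ok {
		return false
	}
	h := sha256.Sum256(canonical(r))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Anyone holding the registry, a customer or an auditor included, can check a printed receipt without any access to the store's systems, which is the property the INSIKA demonstrator is cited for above.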
63. EPT: How To Revise OPI
1. The entire development process for an OPI successor MUST be done fully in public, led by one working group. The OPI situation, where one part of the spec is authored by Wincor and another part by CCV or other vendors, must not repeat.
2. The new specification (called hereafter SPT, „Secure Payment Transport“) must support TLS encryption and public-key authorization using robust cryptography from the beginning and require it for all communication.
3. The entire payment terminal software, or at the very least the stacks responsible for communications, MUST be open-sourced. Security by obscurity is not an option anymore.
64. Summary: Customers
• Ask your bank to deactivate the magstripe so that in the event the card is stolen or cloned, the clone is useless
• Do not write the PIN down on the cards or on anything in your pockets…
• Do not use simple PINs if you can choose them (especially not 0000, 1234 and the like)
• Do not throw away payment receipts; black them out with a lighter or an old clothes iron first (receipts are printed on heat-sensitive thermal paper)
65. Summary: Customers
• Get IT consulting and keep your computer safe! Basic anti-virus solutions are free for personal use and keep a lot of the script kiddies away.
• Use an ad blocker; ad networks are a very effective way of distributing malware
• If you can afford it: use a secondary computer only for banking, preferably with a Linux system booted from CD-ROM.
• Do not do online banking in internet cafés, on public WiFi or on any other system outside of your control!
• Do not do online banking on smartphones, if possible.
• Use the encryption features of your computers and smartphones.
66. Summary: banks / ATM owners / Payment processors
• Banks already know most of the contents of this talk
• But a number of companies operate private ATMs, e.g. for employees, or host ATMs of banks
• Customers need to be educated about security, especially small-business clients. This is overlooked often enough.
• Provide all customers with basic IT consulting for free
• In the event of a card data breach, you are the ones who have to pay the upfront costs, bear the loss of customer trust resulting from the breach and deal with the inconvenience seen in the Target hack, when CCs had to be revoked right during Christmas shopping!
67. Summary: banks / ATM owners / Payment processors
• Magstripe solutions MUST be eradicated world-wide, the sooner the better for everyone. No excuses.
• Invest in security consulting and pen testing!
• If you decide to cooperate and make standards, do so in the open. Invite the community to work with you
• Make standards available free of charge so they can be inspected for security issues!
68. Summary: merchants accepting cards
• Get external IT and security consulting
• Even the $10/h CS student from next door is better than no consulting at all (simply plugging in the EPT/PoS and hoping it works)
• Do not fall for anyone claiming to „guarantee security“. The bad guys always have the advantage
• The harder you make it for thieves and hackers to breach your security, the more likely it is that they'll just go away and find someone easier to exploit
69. Summary: merchants accepting cards
• Basic IT security measures and procedures do not cost much to implement; lots of them are even free
• This includes AV and firewall solutions
• Keep up with the IT world – most business areas have their own focused news magazines, regularly carrying information relevant to IT
• Update your systems as soon as patches arrive!
• When vendors discontinue a product, replace it as soon as possible. Unsupported (and therefore unpatched) systems are a prime target for hackers
70. Summary: software developers / IT Consulting
• Educate yourself about IT security
• Collaborate with others; hire others to check your security work
• Do not roll your own crypto; use well-known building blocks from known-good sources
• Even if OpenSSL and GnuTLS have had their major issues: these libraries are far less likely to contain bugs than your own crypto
• Publish your source code. Given enough eyeballs, all bugs are shallow
71. Summary: software developers / IT Consulting
• Do not make assumptions when building threat models (e.g. do not assume that no unauthorized people can enter the premises without being monitored)
• If you experience a breach, tell others about it. It may be shameful, it may cost your company some clients, but it is better for the whole community
• Assume all user input and all communications to be hostile. Do not skip security because „an RS232 link cannot be monitored, hijacked or manipulated“ or the like.
• Do not consider a small merchant an unlikely target for hackers. Bad guys are after the cards, not after the merchant
• Do not settle for weak security just because the ROI seems too low. Security is paramount in a world filled with crooks
72. References
• ATM USB stick infection: windows-xp-robbed-with-infected-usb-sticks-yes-most-atms-still-run-windows
• ATM network infiltration (by installing a cellphone!): phone-to-hack-atm-machine-with-an-sms.html
• ATM PIN pad security: pin-numbers-hacked/
• Fake smart cards hacking ATMs: hack-atms/
• Manipulated fuel pumps: Tankstelle-geschlossen;art934,1213712
73. References
• ATM hacker who published the common-hardware-key vulnerability at Black Hat 2010, died in July 2013: made-atms-spit-out-cash-dies-calif
• EPTs manipulated during burglary: tenbetrug/fg-ec-karten-betrug-an-der-supermarkt-kasse-20937022.bild.html
• ECB fraud report 2012: audreport201207en.pdf